Merge branch 'master' of github.com:wpscanteam/wpscan

CHANGELOG.md

@@ -1,6 +1,52 @@
 # Changelog
 ## Master
-[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.7...master)
+[Work in progress](https://github.com/wpscanteam/wpscan/compare/2.8...master)
+
+## Version 2.8
+Released: 2015-06-XX
+
+New
+* Warn the user to update his DB files
+* Added last db update to --version option (see #815)
+* Add db checksum to verbose logging during update
+* Option to hide banner
+* Continue if user chooses not to update + db exists
+* Don't update if user chooses default + no DBs exist
+* Updates request timeout values to realistic ones (and in seconds)
+
+Removed
+* Removed `Time.parse('2000-01-01')` expedient
+* Removed unnecessary 'return' and '()'
+* Removed debug output
+* Removed wpstools
+
+General core
+* Update to Ruby 2.2.2
+* Switch to mitre
+* Install bundler gem README
+* Switch from gnutls to openssl
+
+Fixed issues
+* Fix #789 - Add blackarch to readme
+* Fix #790 - Consider the target down after 30 requests timed out requests instead of 10
+* Fix #791 - Rogue character causing the scan of non-wordpress site to crash
+* Fix #792 - Adds the HttpError exception
+* Fix #795 - Remove GHOST warning
+* Fix #796 - Do not swallow exit code
+* Fix #797 - Increases the timeout values
+* Fix #801 - Forces UTF-8 encoding when enumerating usernames
+* Fix #803 - Increases default connect-timeout to 10s
+* Fix #804 - Updates the Theme detection pattern
+* Fix #816 - Ignores potential non version chars in theme version detection
+* Fix #819 - Removes potential spaces in robots.txt entries
+
+WPScan Database Statistics:
+* Total vulnerable versions: 98
+* Total vulnerable plugins:  1076
+* Total vulnerable themes:   361
+* Total version vulnerabilities: 1104
+* Total plugin vulnerabilities:  1763
+* Total theme vulnerabilities:   443
 
 ## Version 2.7
 Released: 2015-03-16

lib/wpscan/web_site.rb

@@ -54,10 +54,7 @@ class WebSite
 
     redirected_uri = URI.parse(add_trailing_slash(add_http_protocol(url)))
     if response.code == 301 || response.code == 302
-      redirection = response.headers_hash['location']
-      if redirection[0] == '/'
-        redirection = "#{redirected_uri.scheme}://#{redirected_uri.host}#{redirection}"
-      end
+      redirection = redirected_uri.merge(response.headers_hash['location']).to_s
 
       return redirection if url == redirection # prevents infinite loop
 

spec/lib/wpscan/web_site_spec.rb

@@ -116,12 +116,24 @@ describe 'WebSite' do
 
         expect(web_site.redirection).to eql absolute_location
       end
+
+      context 'when starts with a ?' do
+        it 'returns the absolute URI' do
+          relative_location = '?p=blog'
+          absolute_location = web_site.uri.merge(relative_location).to_s
+
+          stub_request(:get, web_site.url).to_return(status: 301, headers: { location: relative_location })
+          stub_request(:get, absolute_location)
+
+          expect(web_site.redirection).to eql absolute_location
+        end
+      end
     end
 
     context 'when multiple redirections' do
       it 'returns the last redirection' do
-        first_redirection  = 'www.redirection.com'
-        last_redirection   = 'redirection.com'
+        first_redirection  = 'http://www.redirection.com'
+        last_redirection   = 'http://redirection.com'
 
         stub_request(:get, web_site.url).to_return(status: 301, headers: { location: first_redirection })
         stub_request(:get, first_redirection).to_return(status: 302, headers: { location: last_redirection })

spec/spec_helper.rb

@@ -5,6 +5,8 @@ require 'webmock/rspec'
 # Code Coverage (only works with ruby >= 1.9)
 require 'simplecov' if RUBY_VERSION >= '1.9'
 
+RSpec::Expectations.configuration.warn_about_potential_false_positives = false
+
 require File.expand_path(File.dirname(__FILE__) + '/../lib/common/common_helper')
 
 SPEC_DIR                      = ROOT_DIR + '/spec'

wpscan.rb

@@ -39,6 +39,8 @@ def main
 
     if wpscan_options.version
       puts "Current version: #{WPSCAN_VERSION}"
+      date = last_update
+      puts "Last DB update: #{date.strftime('%Y-%m-%d')}" unless date.nil?
       exit(0)
     end
 
@@ -58,10 +60,15 @@ def main
       elsif input =~ /^a/i
         puts 'Scan aborted'
         exit(1)
+      else
+        if missing_db_file?
+          puts critical('You can not run a scan without any databases.') 
+          exit(1)
+        end
       end
     end
 
-    if wpscan_options.update || missing_db_file?
+    if wpscan_options.update
       puts notice('Updating the Database ...')
       DbUpdater.new(DATA_DIR).update(wpscan_options.verbose)
       puts notice('Update completed.')